Abstract

In the past several years I have written two SMT solvers called STP and HAMPI that have found
widespread use in computer security research by leading groups in academia, industry and the
government. In this note I summarize the features of STP/HAMPI that make them particularly suited
for computer security research, and give a brief description of some of the more important projects
that use them.

1 Introduction 

SMT solvers 04] (Satisfiability-Modulo-Theories Solvers) are computer programs that decide the
satisfiability problem for rich logics such as the theory of bit-vectors and arrays [10], integers,
and datatypes. SMT solvers have recently proven to be particularly useful in finding security
vulnerabilities, debugging, and program analysis aimed at security. The reasons for the success of
SMT solvers are threefold: 1) the input logic of SMT solvers is rich enough to capture a wide
variety of program behavior easily and compactly, 2) SMT solvers have become very efficient at
solving such formulas obtained from real-world applications, and 3) there are very effective
techniques now available, such as symbolic execution GHMD], that convert computation into SMT
formulas. My solvers, STP [10] and HAMPI [12], are specifically designed to support computer
security applications that perform security analysis aimed at finding security vulnerabilities [14],
detecting malware [15] and constructing exploits [2][6].

2 STP 

STP [10] is a solver for a theory of bit-vectors and arrays. STP's logic is tailored to capture
program expressions exactly. All modern computer program expressions can be reduced to arithmetic
and logic operations over suitably-sized (32 or 64 bit) bit-vectors or read/write operations over
memory. STP's logic of bit-vectors captures program expressions, and STP's logic of arrays captures
memory read/writes. This exact bit-precision allows users to easily encode a variety of security
errors (e.g., off-by-one errors, memory errors, overflow errors).
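
The following query is an added illustration, not taken from this note or from the STP distribution.
It encodes an off-by-one write in standard SMT-LIB 2 syntax (logic QF_ABV, bit-vectors plus arrays);
the C fragment, the addresses and the guard byte value are constructed for the example.

```smt2
; Constructed program fragment being modelled (32-bit unsigned arithmetic):
;
;   uint8_t buf[64];                 /* placed at 0x1000 .. 0x103F       */
;   uint8_t guard = 0xAA;            /* adjacent byte at 0x1040          */
;   if (len + 8 <= 64)               /* 8-byte header + len payload bytes */
;       buf[8 + len] = 0;            /* terminator after the payload     */
;
; Question for the solver: is there a value of len that passes the
; length check and still changes the byte that follows the buffer?

(set-logic QF_ABV)

; Attacker-controlled length, modelled as a 32-bit bit-vector so that
; the addition below wraps modulo 2^32 exactly as it does in the program.
(declare-fun len () (_ BitVec 32))

; Memory as an array from 32-bit addresses to 8-bit bytes.
(declare-fun mem () (Array (_ BitVec 32) (_ BitVec 8)))

; Initial state: the guard byte just past the buffer holds 0xAA.
(assert (= (select mem #x00001040) #xAA))

; The length check from the program, using unsigned comparison.
(assert (bvule (bvadd len #x00000008) #x00000040))

; After the write buf[8 + len] = 0, the guard byte no longer holds 0xAA.
(assert
  (not (= (select
            (store mem
                   (bvadd #x00001000 (bvadd len #x00000008))
                   #x00)
            #x00001040)
          #xAA)))

(check-sat)
(exit)
```

The constraints are satisfied only by len = 0x00000038 (56): the guard admits len + 8 = 64, so the
write lands at 0x1040, one byte past the buffer. Replacing bvule with the strict bvult leaves no
satisfying assignment.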

STP has been used in more than 100 research projects, a good number of which are tools that
automatically find security errors or perform binary analysis. Important examples include: the
BitBlaze project [15] from Dawn Song's group at Berkeley, the BAP system from David Brumley's group
at CMU Bl, EXE [8] and KLEE [7] from Dawson Engler's group at Stanford University, the S2E project
[9] from George Candea's group at EPFL, Switzerland, Akamai Inc. for finding security errors in
mission critical applications (contact: Michael Stone), and governmental agencies. A comprehensive
list of projects using STP can be found at the following website:

http://sites.google.com/site/stpfastprover/tools-using-stp

3 HAMPI

HAMPI [12] is a solver for a theory of strings that can solve constraints built out of string
constants, variables, concatenation, extraction and membership in regular expressions and
context-free grammars. HAMPI is explicitly aimed at finding security vulnerabilities, such as XSS
attacks and SQL vulnerabilities, in web applications written in JavaScript, PHP and Python.

The big users of HAMPI include: the Ardilla tool [13] from Michael Ernst's group at MIT and
University of Washington Seattle, the WebBlaze project [14] from Dawn Song's group at Berkeley, and
Frank Tip's group [11] at IBM T.J. Watson center at Hawthorne in New York.

A comprehensive list of all the tools using STP and HAMPI can be found by typing my name and
following links on the Google Scholar page: http://scholar.google.com